Design principle of Kirin Source Fortress Machine

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1 Preface

The main functions of an operation and maintenance fortress machine (bastion host) are authentication, authorization, and audit; each manufacturer's implementation differs slightly. × × is a complete open source fortress machine system that has all the functional modules of a typical commercial fortress machine and is easy to install and use. In completeness of functions and ease of use it matches commercial hardware fortress machines.

2 The concept and types of fortress machine

In terms of topology, fortress machines are divided into two types.

2.1 Gateway type fortress machine

This type is generally deployed as a layer-2 transparent bridge, placed in the network path in front of the operation and maintenance users. When those users carry out operations, their traffic passes through the gateway fortress machine, which audits their actions. Fortress machines of this kind were designed by some foreign manufacturers before 2012, but rarely by domestic ones. Because bringing such a device online requires modifying the network topology, and because functions such as SSO and use-and-release are hard to implement with it, it is now very rare, with a market share of less than 1%.

2.2 Operation and maintenance audit fortress machine

Today's mainstream fortress machine is deployed in bypass mode: physically it sits beside the network path, logically it is in series. When users want to perform operation and maintenance, they must jump through the fortress machine to log in to the target. This has become the general form, and the mainstream form of domestic fortress machines, because it does not modify the network topology and can still provide SSO, use-and-release and similar functions.

Xxx adopts this form for its design and development.

3 × × working principle

3.1 × × design principle

For operation and maintenance personnel, * is equivalent to a proxy server (Proxy Server); its workflow is shown below:

Figure 1. Schematic diagram of work flow of fortress machine

1) To perform an operation, the operation and maintenance personnel first log in to the fortress machine and then submit the operation request to it.

2) After the request passes the fortress machine's permission check, the fortress machine's user agent module connects to the target equipment on the user's behalf and completes the operation. The target equipment returns the result of the operation to the fortress machine, and finally the fortress machine returns the result to the operator.

In this way, the fortress machine logically separates the operation and maintenance personnel from the target equipment and establishes a management chain of "operation and maintenance personnel -> fortress machine user account -> authorization -> target equipment account -> target equipment". Besides solving the problems of operational authority control and behavior audit, it also solves the problem that encrypted protocols and graphical protocols cannot be audited by protocol analysis of the traffic alone.

3.2 × × working principle

The schematic diagram of the working principle of × × is as follows:

Figure 2. Schematic diagram of working principle of fortress machine

In actual application scenarios, the users of the fortress machine can be divided into three types: administrators, operators and auditors.

The most important responsibility of the administrator is to configure the fortress machine's security policy according to the organization's security strategy and the operation authority that the operation and maintenance personnel should have. After the administrator logs in to the fortress machine, the "Policy Management" component interacts with the administrator and stores the security policy entered into the policy configuration library inside the fortress machine.

The "Application Agent" component is the core of the fortress machine: it relays the user's operation and maintenance actions and interacts with the other components inside the fortress machine. After receiving an operation request from the operation and maintenance personnel, the "Application Agent" component calls the "Policy Management" component to verify the operation against the policy configuration library already configured by the administrator. If the operation does not comply with the security policy, the "Application Agent" component refuses to execute it.

Once the operation has been verified by the "Policy Management" component, the "Application Agent" component connects to the target equipment in place of the operator, completes the corresponding operation, and returns the result to the operator. At the same time, the operation process is submitted to the "Audit Module" inside the fortress machine, which records it in the audit log database.

Finally, when the historical operation records of the operation and maintenance personnel need to be investigated, the auditor logs in to the fortress machine to query them; the "Audit Module" then reads the corresponding records from the audit log database and displays them on the auditor's interface.
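The following is an added illustration, not code from × × or from the original article, of the management chain in 3.1 and the three components in 3.2: a policy store that maps a bastion user to the target account it may use, an application agent that runs the operation on the user's behalf only when the policy allows it, and an audit module that records every request (allowed or denied) for the auditor to query. The policy entries and the fake session output are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Policy:
    """One authorization: bastion user -> target -> target account it may use."""
    bastion_user: str
    target: str
    target_account: str


@dataclass
class AuditRecord:
    ts: str
    bastion_user: str
    target: str
    target_account: str
    command: str
    decision: str  # "allowed" or "denied"


class Bastion:
    """Bypass-deployed bastion: Policy Management + Application Agent + Audit Module."""

    def __init__(self, policies):
        self.policies = set(policies)   # policy configuration library
        self.audit_log = []             # audit log database

    def _connect_and_run(self, target, target_account, command):
        # Stand-in for the agent's real SSH/RDP session. The operator never
        # receives the target credential; only the bastion holds it.
        return f"{target_account}@{target}$ {command} -> ok"

    def handle(self, bastion_user, target, target_account, command):
        # Application Agent: ask Policy Management before touching the target.
        allowed = Policy(bastion_user, target, target_account) in self.policies
        # Audit Module: every request is recorded, including refused ones.
        self.audit_log.append(AuditRecord(
            datetime.now(timezone.utc).isoformat(), bastion_user, target,
            target_account, command, "allowed" if allowed else "denied"))
        if not allowed:
            return None
        return self._connect_and_run(target, target_account, command)

    def audit_query(self, bastion_user=None, decision=None):
        """Auditor view: filter the log by user and/or decision."""
        return [r for r in self.audit_log
                if (bastion_user is None or r.bastion_user == bastion_user)
                and (decision is None or r.decision == decision)]


# Constructed sample policy: alice may use only the "ops" account on web-01.
SAMPLE_POLICIES = [Policy("alice", "web-01", "ops")]
```

Note that a request for an unauthorized target account (for example `root`) is refused before any connection is made, yet still leaves an audit record, which is what lets the auditor see attempted as well as completed operations.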
